
New submitter cadenceaniya sends this excerpt from Polygon:
"Online games are a 'playground' for organized crime and cyber criminals, JD Sherry, vice president of technology and solutions at Trend Micro said following the news that League of Legends accounts were compromised. Earlier this week, account information — usernames, email addresses, salted password hashes, and some first and last names — for some North American League of Legends players was 'compromised' by hackers. Riot was also 'investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed.' The increase of free-to-play online gaming across all platforms over the years 'have opened the doors to micro-transactions in-game.' The simple and functional systems created so players can spend money effortlessly create 'playgrounds' for cyber criminals to take advantage of. 'Game platforms can have millions of users all storing sensitive information or code access for more features,' Sherry said. 'These are highly sought after in the cyber-crime underground for trading and selling in the black market. These platforms can fall victim to cyber-attacks just like any organization, especially if they have vulnerabilities that go unpatched.'"

The headline makes it sound as if the criminals are -playing- the games to steal info. They are just stealing the info same as they would from any other company. It has absolutely nothing to do with the fact that it is a game, except for the fact that the amount of players and possibly lax security make it a valuable and vulnerable target.

Indeed. And it's more about accounts than it is about games (though of course most MMOs have issues with this).

If you have a Steam account these days and you aren't using the Steamguard added security, you're mad. The trade in compromised Steam accounts is quite terrifying (and unsurprising given the value of the games stored on many of them). The same is true for PSN accounts. It's even more true for XBox Live accounts where there are fewer additional layers of password security you can bolt on (unless they've added them since I last checked) and where there are FIFA Soccer DLC packs that are tradable and essentially allow "real money" to be laundered through the accounts.

All of the passwords and credit card information was hashed and salted which is way more than we've seen from the compromises of most "real" businesses. Take my bank, for example: the passwords do not allow special characters and they're not even case sensitive! I'm quite happy that Riot has at least taken some simple steps to protect our information in the event of an intrusion. I don't know what vulnerability they fell prey to but I do know that security is a generally hard problem to solve. I'd chalk th

When I was playing EVE, it was widely rumored that the Russian mafia were also playing - using game/real currency exchange as a form of money laundering to hide the income from their real-world criminal activities. Not sure how much truth there was to the rumors.

When cargo ships routinely get ganked with in excess of $15,000 worth of ISK or ETC I think it's rather obvious someone's doing something other than playing the game with all that. The only logical use for all that ISK/ETC is money laundering. They're buying up ETC cards with illegal funds, then selling them for ISK, then selling the ISK for cash on a website and counting the proceeds as legitimate income.

You know, this sounds like the beginning of a plot for a possibly amazing movie.

To wit: A teen and his friends gang up on a ship on EVE that is carrying an absurd amount of money. The Russian mafia tracks the IP of the teens and then goes after them, and the teens have to run for their lives.

Or even better, the Russians kidnap their parents or something, and hold them for ransom, and the kids have to go back online in EVE and capture even more ships to save their parents. Or something like that.

I suggest the 'something like that' is to have them forced to attack a rival syndicate - if they can destroy one money-laundering convoy, the operators might see how such skills could be put to use.

You can get a really triumphant finale when word gets out and a fleet of five thousand legitimate players descend to suicide-gank the laundering ships, costing the mafia so much they have no option but to abandon their money-laundering operation.

They might buy the ISK for cash on the grey market too - it might offer a better exchange rate.

If you just buy and sell money with one character it stands out like a sore thumb in the audit logs, and records could be easily subpoenaed. So they probably need to have multiple accounts, and shift the value between them using in-game-legitimate operations like a hauler-full-o-goods. Simple matter of avoiding easy tracking by hiding it in the noise of EVE's frantic economy. Even if investigators work out which

On the contrary, I think it has a great deal to do with it being a game. One of the problems with online crime involving MMOs, is that it is hard to get people in the real world to acknowledge internet spaceships as serious business; unfortunately this can include law enforcement. So even though hacked and looted accounts can be converted into real currency, it doesn't carry quite the same degree of real-world risk for the criminal.

As a result, an MMO operator may end up needing better security practices

There is rarely a single motive for obviously bogus claims like this. It also distracts from current criminal actions by the Government, distracts from police illegally arresting people for protesting, distracts from banking criminals, etc... In addition, it plays on the typical gamer stereotype, adding suspicion to those "gamers" that must all be like the obese griefer with no life in South Park, and generates some FUD regarding a certain type of person.

Someone has been reading Reamde [wikipedia.org] lately. Anyway, that something that enables you to interact with other people can be used to interact in "wrong" ways is something that doesn't apply just to games, and yet that argument is being used to demonize the internet, games, even the Tor network [theregister.co.uk]. If you want to be free you must accept that people could use that freedom to do bad things, and the solution is going after those people, not punishing everyone by taking away freedom.

Why would you bother storing hashed and salted credit card information? The only thing you could do is match it against the credit card used on the next transaction - but what does that really get you? The hashed/salted card number would be usable again (if hashed+salted properly).

One use would be for ongoing purchases in / for the game. When you sign up, they store the CC on a protected payment system that's not directly accessible from the internet. The internet-accessible server has only a secure salted hash of the CC. For a purchase, the client prompts for the CC to use, then sends the hash of it to the public server. That confirms that the user truly has presented the correct card number. The public server can then call the one and only function exposed by the payment server, billcard(hash,amount).

That way they can prove that the customer entered the card number into their game, without sending the card number over the internet.

On a more serious note. While that is a good idea, the secure payment system would still need the whole CC. While you can harden a system that only does one thing much more thoroughly, you're putting all the valuable data in one place for the attacker. It's still a good idea though, and companies should do something like this.
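The two-tier design sketched in the comments above (a public server that holds only a salted hash per account, a separate payment vault that holds the card number and exposes a single billcard(hash, amount) call) as a runnable illustration. This is an added example, not Riot's code or anything from the thread; the class and function names, the enrolment flow and the test card number are constructed. One caveat the example bakes in: card numbers have far less entropy than passwords, so a plain salted SHA-256 of one can be enumerated cheaply by anyone who obtains the salt. The token is therefore derived with a slow KDF (PBKDF2), and the vault validates the Luhn checksum and rejects unknown tokens or non-positive amounts, which is the "one thing it does" that the reply above says can be hardened thoroughly.

```python
"""Two-tier card handling as sketched in the thread. Added example, not production code
from Riot or anyone else. The public server never stores a card number (PAN); it keeps a
per-account salt and token and forwards purchases to a vault that is not internet-facing.
All names and the test card number are constructed."""
import hashlib
import hmac
import secrets
from decimal import Decimal


def luhn_ok(pan: str) -> bool:
    """Checksum sanity check on a card number (catches typos, proves nothing about validity)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_token(pan: str, salt: bytes) -> str:
    """Token the client sends instead of the PAN. A slow KDF is used because the PAN space is
    small; a fast salted hash would be enumerable by anyone holding the salt."""
    digits = "".join(c for c in pan if c.isdigit()).encode()
    return hashlib.pbkdf2_hmac("sha256", digits, salt, 100_000).hex()


class PaymentVault:
    """Not internet-facing. Holds PANs keyed by token and exposes only bill_card()."""

    def __init__(self) -> None:
        self._cards: dict[str, str] = {}        # token -> PAN
        self.charges: list[tuple[str, Decimal]] = []  # audit log, used by the example's checks

    def enroll(self, pan: str) -> tuple[bytes, str]:
        """One-time step where the PAN reaches the vault (by whatever channel the operator
        chooses). Returns the salt and token the public server may keep."""
        if not luhn_ok(pan):
            raise ValueError("card number fails checksum")
        salt = secrets.token_bytes(16)
        token = card_token(pan, salt)
        self._cards[token] = pan
        return salt, token

    def bill_card(self, token: str, amount: Decimal) -> bool:
        """The single exposed function from the thread: billcard(hash, amount)."""
        if amount <= 0 or token not in self._cards:
            return False
        # A real vault would call the card processor with self._cards[token] here.
        self.charges.append((token, amount))
        return True


class PublicServer:
    """Internet-facing. Stores (salt, token) per account; never sees a PAN after enrolment."""

    def __init__(self, vault: PaymentVault) -> None:
        self._vault = vault
        self._accounts: dict[str, tuple[bytes, str]] = {}

    def enroll(self, account: str, pan: str) -> None:
        self._accounts[account] = self._vault.enroll(pan)

    def salt_for(self, account: str) -> bytes:
        """The client needs the account's salt to compute the same token."""
        return self._accounts[account][0]

    def purchase(self, account: str, client_token: str, amount: Decimal) -> bool:
        salt, token = self._accounts[account]
        # Constant-time compare so timing does not leak how much of the token matched.
        if not hmac.compare_digest(client_token, token):
            return False
        return self._vault.bill_card(token, amount)


def demo() -> tuple[bool, bool, int]:
    """Enrol a constructed test card, buy once with the right card and once with a typo.
    Returns (first purchase ok, second purchase ok, number of charges the vault recorded)."""
    vault = PaymentVault()
    public = PublicServer(vault)
    public.enroll("alice", "4111 1111 1111 1111")      # constructed test number
    salt = public.salt_for("alice")
    ok = public.purchase("alice", card_token("4111 1111 1111 1111", salt), Decimal("4.99"))
    bad = public.purchase("alice", card_token("4111 1111 1111 1112", salt), Decimal("4.99"))
    return ok, bad, len(vault.charges)


if __name__ == "__main__":
    print(demo())   # (True, False, 1)
```

The point the reply above makes still holds: the vault is where every card number lives, so it is the system to lock down hardest, and the public server's salt and token pair should be treated as sensitive even though neither is a card number.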

Here's another thought. While some larger corporations have lax security for no explainable reason, cough Sony cough, many games that are bei

Yeah, that's what the vast majority of web sites do. PayPal or Google checkout for one-time purchases, CcBill or Verotel for subscriptions. That's not a bad idea.

Most site operators truly need assistance just securing the interfaces to payment processors, and securing passwords. For example, most store passwords using DES hashes (1972) or plaintext until we fix it for them. I think they are correct to focus on their core competency and let professionals with time-tested solutions handle difficult issues

A) It doesn't necessarily require that the CC be sent over the internet. You COULD phone it in. On some sites, we used to have an applet for your modem to call the payment system directly. Today's version of that would be for the game setup to include a VPN-like client. That can be followed by a confirmation call or other one-time security measures. Even if it WERE sent over the internet with no extra security, doing that once is better than doing it every time you buy a game token.

The increase of free-to-play online gaming across all platforms over the years 'have opened the doors to micro-transactions in-game.'

I've always avoided any game which relies on these in-game purchases.

Firstly, because I'm cheap and have no interest in having to pay for baubles in a video game with real money. But second, because I don't necessarily trust that companies put enough effort into safe-guarding my financial information -- they put a lot of work in the glossy bits and setting up a way to get my money, but they're not as interested in keeping it secure.

If you know that a system has a vast number of credit card details stored in it, it's going to be an attractive target, because any exploit of it is going to yield a lot of stuff. In this case, it's a big giant database of credit cards and names, stored by a company who may or may not have put enough effort into protecting that.

This is why I'm of the opinion that companies need both restrictions on the kind of data they collect and use, but also some steep penalties for failure to safeguard it once they have it.

If someone can do an incompetent job of security and have their users be the ones affected by it, it has to be a lot more than "ooops, sorry".

A bit off-topic, but if games with online playability lack security, it is by their choice. They certainly spy on their players enough. Get an IP sniffer. When I play StarCraft II, which insists on being online even for single-player, I get tons of connection attempts going places other than Blizzard. I block them, and gameplay does not suffer.
* www.reuters.com
* www.googleanalytics.com
* Akamai (OK, that's for downloading updates)
* several other all-digit IPs, which I also block.

First, all IPs are all digits. Second, you're seeing the connections to reuters and google because the launcher is just a wrapper which opens up a web site; it's the web site pinging those places for tracking purposes. (Side note: this is why it's better to do IP blocking on your firewall/router than using a blacklist plugin like adblock.) Third, you'll only hit Akamai servers if your ISP uses them for web caching. Mostly you're pulling updates from them, sometimes it's the web pages... either way that's not

Out of curiosity, have you ever run a reverse DNS lookup on those IPs? Or is that how you figured out who the outbound connections were attempting to talk to to begin with? Google analytics sounds like SC2 is rendering a web page somewhere, and triggering the javascript. I don't own the game, so I can't check.

This is why per-process firewalls are so important. I'm personally using Comodo Free myself. It pains me to admit it, but this is actually one area where Windows is ahead of Linux.
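The manual review described in the last few comments (sniff a game's outbound connections, work out which destinations are expected, block the rest at the router) as a small script. This is an added example, not something from the thread or from any firewall product: the process names, the allowlist, and the log lines are constructed, and the addresses come from the RFC 5737 documentation ranges. It parses a per-process connection log, reports every destination a process reached outside its allowlist, and emits the list of addresses you would then block on the firewall, which is the placement the reply above argues for.

```python
"""Per-process egress review. Added example with constructed input; process names,
allowlist and log lines are made up, addresses are RFC 5737 documentation ranges."""
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist: the networks each process is expected to talk to.
ALLOWLIST = {
    "game.exe": [ipaddress.ip_network("203.0.113.0/24")],      # stand-in for the publisher's servers
    "updater.exe": [ipaddress.ip_network("198.51.100.0/24")],  # stand-in for an update CDN
}

# Constructed capture in a simple "proc= dst= port=" form, one connection per line.
SAMPLE_LOG = """\
proc=game.exe dst=203.0.113.7 port=443
proc=game.exe dst=192.0.2.55 port=443
proc=updater.exe dst=198.51.100.20 port=80
proc=game.exe dst=203.0.113.9 port=5060
proc=game.exe dst=192.0.2.55 port=80
proc=unknown.exe dst=198.51.100.9 port=443
this line is not a connection record
"""

LINE_RE = re.compile(r"^proc=(\S+)\s+dst=(\S+)\s+port=(\d+)$")


def parse_line(line: str):
    """Return (process, ip_address, port) or None for lines that are not connection records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, ip, port = m.groups()
    try:
        return proc, ipaddress.ip_address(ip), int(port)
    except ValueError:
        return None


def is_expected(proc: str, ip) -> bool:
    """A destination is expected only if the process has an allowlist entry containing it.
    Processes with no allowlist at all get everything flagged."""
    return any(ip in net for net in ALLOWLIST.get(proc, []))


def review(log_text: str) -> dict[str, list[str]]:
    """Map each process to the sorted, de-duplicated 'ip:port' destinations outside its allowlist."""
    findings: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proc, ip, port = rec
        if not is_expected(proc, ip):
            findings[proc].add(f"{ip}:{port}")
    return {proc: sorted(dests) for proc, dests in findings.items()}


def block_list(findings: dict[str, list[str]]) -> list[str]:
    """Unique destination addresses to block on the router/firewall, regardless of process."""
    return sorted({dest.rsplit(":", 1)[0] for dests in findings.values() for dest in dests})


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for proc, dests in result.items():
        print(f"{proc}: {', '.join(dests)}")
    print("block:", block_list(result))
```

Reverse DNS, as the earlier comment suggests, is a useful second step for naming what the flagged addresses are, but the decision to block should rest on the allowlist rather than on whatever name an address currently resolves to.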

Sounds like an excellent way to launder money, as well. Virtual goods with no real inventory....

Not so much. It's easy to buy the things from the company, but as soon as you try to sell them it becomes "Real Money Trading." Game companies have always tried to stop RMT. Traditional games at least have a valid reason for this. RMT encourages criminals to use bot farming. Meanwhile, games with micro transactions don't like it because it's a secondhand market eating into their profits.

The ethics of RMT are actually quite interesting. For any game where you can buy something in game with real money,

Any fool can learn a name, a postal address, an email address, a birthdate, a social security number. Those things therefore have no value and there is not much point in obscuring them. Passwords (disgusting method, relies on users and communication cryptography, neither of which is reliable) are perhaps another matter - but hopefully if the access a password guards matters, that password is NOT used elsewhere by that user. Well, one might hope I suppose.

The passwords were hashed and salted, making them hard to crack and probably worthless; the same goes for the CC numbers. It's really a step up in security compared to other recent security breaches at other companies. I was glad to see that this company thought ahead and planned for a breach... The article doesn't mention how the breach happened and it doesn't mean that it was the company's fault.
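Several comments credit Riot with salting and hashing passwords, and one earlier comment mentions sites still storing DES hashes or plaintext. The contrast between the two is easier to see in code, so here is an added example (not Riot's code, not from the thread; the storage format is constructed) of a salted, deliberately slow password hash using only the standard library, next to the unsalted fast hash it replaces. The demo shows what the salt buys: two users with the same password get identical unsalted hashes, which means one lookup table cracks both, while their salted hashes differ.

```python
"""Salted, slow password hashing beside a legacy unsalted hash. Added example; the
'scrypt$n$r$p$salt$digest' storage format is constructed for this illustration."""
import base64
import hashlib
import hmac
import secrets

# scrypt cost parameters; n=2**14, r=8 needs 16 MiB per hash, modest enough for a demo.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_unsalted(password: str) -> str:
    """The weak pattern: one fast hash, no salt. Equal passwords give equal hashes and a
    precomputed table cracks every user at once. Shown for contrast only."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Store this string. A fresh random salt per user plus a memory-hard KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Malformed or foreign-scheme records simply fail rather than raising."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def demo() -> tuple[bool, bool, bool]:
    """Two users choose the same password. Returns (legacy hashes collide, salted hashes
    collide, correct password verifies and a wrong one does not)."""
    pw = "correct horse"                     # constructed sample password
    user_a, user_b = hash_password(pw), hash_password(pw)
    legacy_collide = legacy_unsalted(pw) == legacy_unsalted(pw)
    salted_collide = user_a == user_b
    verifies = verify_password(pw, user_a) and not verify_password("wrong", user_b)
    return legacy_collide, salted_collide, verifies


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Storing the cost parameters alongside the salt, as the format above does, is what lets an operator raise the work factor later and re-hash each user transparently at their next login.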

Passwords are good if you know how to use them, biometric has the same disadvantage as a physical key does, it